Tunneling & VPN

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.

A virtual private network connection across the Internet is similar to a wide area network (WAN) link between sites. From a user perspective, the extended network resources are accessed in the same way as resources available within the private network.

Computer networks use a tunneling protocol when one network protocol (the delivery protocol) encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over an incompatible delivery network, or provide a secure path through an untrusted network.

Tunneling contrasts with a strictly layered protocol model such as those of OSI or TCP/IP: the delivery protocol typically operates at an equal or higher layer in the model than the payload protocol it carries.

To understand a particular protocol stack, network engineers must understand both the payload and delivery protocol sets.

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP Protocol Number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network.
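As an added illustration of the GRE case just described (example code written for this page, not taken from any of the sessions or products it lists), the following Python builds a constructed IPv4-in-GRE-in-IPv4 packet with public delivery addresses and RFC 1918 payload addresses, then parses it back the way a capture-analysis tool would. The addresses are constructed documentation-range values; header checksums are left at zero for the sample.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE, as stated in the text
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) used to build samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """Wrap an IPv4 packet in a flag-less GRE header inside an outer IPv4 header (protocol 47)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet

def parse_gre_in_ip(packet):
    """Return (outer_src, outer_dst, inner_src, inner_dst) for IPv4-in-GRE-in-IPv4, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != GRE_PROTO:
        return None
    ihl = (packet[0] & 0x0F) * 4
    outer_src, outer_dst = packet[12:16], packet[16:20]
    gre = packet[ihl:]
    if len(gre) < 4:
        return None
    flags, ptype = struct.unpack("!HH", gre[:4])
    hdr_len = 4                        # C/K/S flag bits lengthen the GRE header when set
    if flags & 0x8000: hdr_len += 4    # C: checksum + reserved1 present
    if flags & 0x2000: hdr_len += 4    # K: key present
    if flags & 0x1000: hdr_len += 4    # S: sequence number present
    inner = gre[hdr_len:]
    if ptype != ETHERTYPE_IPV4 or len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    return tuple(str(ipaddress.IPv4Address(a)) for a in
                 (outer_src, outer_dst, inner[12:16], inner[16:20]))

def is_rfc1918(addr):
    return any(ipaddress.IPv4Address(addr) in net for net in RFC1918)

def carries_private_over_public(packet):
    """The case the text describes: RFC 1918 payload addresses inside public delivery addresses."""
    parsed = parse_gre_in_ip(packet)
    return (parsed is not None and all(map(is_rfc1918, parsed[2:]))
            and not any(map(is_rfc1918, parsed[:2])))

# Constructed sample: a private-to-private UDP/IP packet tunneled between two public endpoints
INNER = ipv4_header("10.1.1.5", "192.168.20.9", 17, 8) + b"payload!"
SAMPLE = gre_encapsulate("198.51.100.1", "203.0.113.7", INNER)
```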

In contrast, an IP payload might believe it sees a data link layer delivery when it is carried inside the Layer 2 Tunneling Protocol (L2TP), which appears to the payload mechanism as a protocol of the data link layer. L2TP, however, actually runs over the transport layer using User Datagram Protocol (UDP) over IP. The IP in the delivery protocol could run over any data-link protocol from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dialup modem link.

Tunneling protocols may use data encryption to transport insecure payload protocols over a public network (such as the Internet), thereby providing VPN functionality. IPsec has an end-to-end Transport Mode, but can also operate in a tunneling mode through a trusted security gateway.


Enterprise VPNs have used various methods to secure communication depending on the environment and the economics of the access technology. This session describes how Group Encrypted Transport (GET) can be used to provide secure communications across most VPN technologies in order to comply with security policies established by government organizations and enterprise security departments. This session describes the system components, methods, and protocols used to establish group encryption methods. GET deployment methods are highlighted that address different connectivity technologies such as wireless LTE, LISP, and TrustSec. New capabilities are highlighted including reliability enhancements, scalability enhancements, and routing state synchronization. The session closes with a preview of future directions and enhancements anticipated for GET VPN services.


This session features a detailed analysis of the architectural aspects, implementation details and deployment benefits behind the Overlay Transport Virtualization (OTV) technology recently introduced by Cisco. The attendees will learn how OTV, an industry-first solution, significantly simplifies Data Center Interconnect (DCI) deployments by extending Ethernet LANs between multiple sites over any network, making multiple data centers look like one logical data center. The attendees will learn how OTV is aimed at providing Layer 2 connectivity beyond the Layer 3 boundary while maintaining the scalability, failure containment and operational simplicity that the Layer 3 boundary provides. OTV involves foundational changes to the learning and forwarding principles of traditional VPN technologies. OTV is a "MAC in IP" technology where the MAC address reachability information is conveyed in a control protocol. The OTV architecture is discussed in detail, giving the attendee a clear understanding of the technical aspects of the technology. The multiple benefits achieved by OTV are discussed in detail during the session. Some of the improvement areas examined in the discussion include core transparency, multi-homing, loop prevention, failure isolation, high availability, bandwidth optimization, etc. This session does NOT cover the technical aspects of the traditional Layer 2 VPN technologies such as EoMPLS, VPLS, etc. Target Audience: Those responsible for the Design, Deployment, Operations, and Management of SP, Enterprise and Data Center Networks will find this session informative and useful.


This session describes the implementation of IP Virtual Private Networks (IP VPNs) using MPLS. It is the most common Layer 3 VPN technology, as standardized by IETF RFC 2547/4364, realizing IP connectivity between VPN sites across an MPLS network.


We would like to combine the Advanced IKEv2 Protocol talk and the Crypto & Internet talk to address VPN protocols specifically. This session will give an overview of the ISAKMP (IKEv1) protocol for comparison and then go into a detailed examination of IKEv2, including algorithms, packet flow and packet bits and bytes. It will include information on the standard payloads and some of the extended/proposed payloads. This session is for Network Architects and Engineers who need to understand the IKEv2 protocol at the packet level for troubleshooting.


FlexVPN is Cisco's unified Crypto VPN, the natural evolution of DMVPN and Easy VPN based on IKEv2. In this session, we will demonstrate how FlexVPN works for multiple scenarios such as Site-to-Site, Remote Access, Hub-and-Spoke, and Spoke-to-Spoke shortcut. This breakout covers design recommendations for scalable, redundant designs and all IPv6/IPv4 scenarios. This session is targeted towards Network Architects and Designers who need to deploy Crypto VPN in a variety of environments.


DMVPN is expanding in the industry and within the CCIE Routing and Switching practical exam. This session covers the general operation and theory of DMVPN and how it may be used within the CCIE Routing & Switching practical exam. This session will not look at real-world applications, but at examples of how it may be presented within an exam under the current blueprint. This session will include: Dynamic Multipoint VPN with and without IPsec; potential issues with routing protocols such as EIGRP and OSPF; support for IPv6; troubleshooting DMVPN; CCIE R&S practice examples.


This session covers advanced concepts of the Dynamic Multipoint VPN (DMVPN) solution. It starts with an overview of DMVPN functionality; DMVPN hub-and-spoke and dynamic spoke-spoke (Phase 2 and Phase 3) networks. This includes DMVPN network design concepts, choosing a routing protocol and scaling with respect to routing, encryption and redundancy. The talk then continues with an SDN style use case, where the DMVPN Smart-Spoke feature is used to provide simplified QoS for spoke-to-spoke tunnels. This session is for designers and managers of extended corporate DMVPNs and for service providers that are deploying these services for their customers.


This session presents a methodical technique for troubleshooting Dynamic Multipoint VPN (DMVPN) networks. The session starts with a short overview of DMVPN functionality and then concentrates on a four-layer troubleshooting methodology. These four layers are IP infrastructure layer (peer connectivity), IPsec encryption layer (IPsec/ISAKMP), GRE/NHRP layer (NHRP), and the VPN layer (IP routing protocols). Explicit troubleshooting examples with solutions are shown that are based on the most common DMVPN design and implementation issues as seen by Cisco Technical Assistance Center (TAC) engineers. This session is for designers, managers, and troubleshooters of extended corporate DMVPNs and for service providers deploying these services.


This session presents a technical deep dive of Ethernet VPN (E-VPN) and Provider Backbone Bridging E-VPN (PBB-EVPN). This session will cover the detailed operation of E-VPN / PBB-EVPN including forwarding, multi-homing, aliasing, multicast and fast convergence. The session is intended for service providers or enterprises looking to deploy next-generation L2VPN solutions for Carrier Ethernet or Data Center Interconnect services. This session assumes familiarity with MPLS-based L2VPNs and BGP.